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1 . Introduction 



(a) AFSAY D804 (fomcrly known as ASAY 4 and EEY 804), is a lew echelon 
speech secrecy dovice. It was designed and assessed in refs 1,2 and 
3, and it -was concluded that "the design offered cnly a lew degree of 
security. A modification to this machine, known as ASSAY D802 
(formerly ASSAY D804 (X-4) ) is described and assessed in ref. 4. This 
modification is designed for telephone circuits where a high degree of 
security is required. It is understood to be in use in small numbers, 
and vd.ll eventually be replaced by ASSAY D801 . 

(b) This paper describes the machine, discusses certain features of it 
and suggests some possible lines of attack. 

2* Brief Description 



(a) The equipment is "push- to- talk" . Speech is encoded on a delta- 
modulator at 25 kcs. A certain amount of random noise is fed into 
the system. The method of encipherment is similar to that of other 
cipher text autokey systems, and Figure I should be for the most 
part self-explanatory. The main novel feature is the random walk 
rings R-| and H 2 . R-j consists of the pattern 1111001000110010, and 
steps one position if sub-key kj is _1 ; if k| is it stands. R£ is 
drivai similarly by kg and consists of tie pattern 1111001101000100. 
In an obvious notation, is derived from Z-j _____ and is added 
to to produce . 

(b) The plugboard is such -that adjacent points in the delay line Q cannot 
be multiplied together. 

(c) The alarms ore understood to be as follows 
(i) Ajj and Ag (see Figure 1) are duplicated. 

(ii) Counters count hie distance between the configuration 11 in the 
inputs and outputs cf R-| and R 2 . If hi is exceeds 80 elements, 
transmission is cut off for 300 elements, so that if the 
condition persists there is a nasty buzz at both the send and 
receive end. This guards against failure of R-| or Ifc , constant 
output from A-j or and constant 0 output from Aj or A^, but 
not apparently against constant 1 output from Aj or V 

(d) The first few hundred elements cf each transmission are not trans- 
mitted (hie paradox seems to be unavoidable). 
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3. 



Notations 

The following notations are used In this paper. 

Q The AO-long delay line. 

Qi The ith stage in Q. 

Q # The last plugged stage in Q. 

f The distance "between Q , and Q^, i.e. c/ = • If the plugging is 

randan the nedian value of f is 1 and the average value 1.A2. 



Q" 

R* 

H" 

S 



The first plugged stage in Q. 

The ring \hich Q* helps to drive. 

The ring which Q” helps to drive. 

Denotes 1 sane ' , when we are conparing any two elements of the 
enciphering process at different positions of the text. 



A-. 



D Denotes 'different'. 

P, K and Z "bear their usual ncanings of plain, key and cipher. 
Synchronisation 



After AO bits of cipher text have bem transmitted Q in the receiving 
equipment will be identical with ihat in the send equipment. The expected 



je rings can be obtained by setting 
No. 36 Apjpendix I paragraph 6; 



time of coalescence of both the random wall 
P(t) =1-1 in the formula of 

*rr 

this evaluates to approximately 99- o positions. The expected total tine far 
ooaloscence is therefore AO - f + 99»6 A 138 pxisitions. This has ignored the 
fact that cne ring can begin to coalesce one or two or so pxisitions (according 
to the plugging) before the other can, 

5* Key 

The key is flat by manobits but has a slightly rough delta at distance 
cne; at higher distances the bulge decreases. See paragraph 11 (c) for 
details. 



It is conceivable that the delta properties may also be affected by 
piarticular pluggings; no work has been done to confirm this. 
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7. Coalescence 



(a) With suitable 3?/L repeats the probability of two stretches of cipher 
text coalescing at a given position so as to fom a causal cipher 
repeat seems to be approximately 2“48+f. 

(b) The actual process of coalescence is complex, as con be seen fren the 
following table. Immediately before coalescence occurs either Q 

may be D (all previous stages are S) , or R' may be offset by one 
position either way (denote this by saying that R' is D) or both 
nay be D, and in each case P nay be either S or D. The result of 
such a state nay either be 



(i) that both Z (i.c. Q) and R’ coalesce, or 

(ii) that Z (i.e. Q) coalesces but R’ does not or 

(iii) -that Z (i.e. Q) completely diverges. 



Comparison of two positions in the cipher 
text. Q is S up to but not including Q . 
R' is either in phase (S) or offset one 
(D). The other ring is 8. 


Probabilities of results 










(i) 


(ii) 


(iii) 


State 


Condition of P/L 


Q' 


R' 


coales- 

cence 


partial 

coales- 

cence 


divergence 


1 


S 


S 


D 


0 


i 

S 


1 

2 


n 


' S 


D 


S 


5/8 


0 


3/8 


m 


s 


D 


D 


0 


1 

2 


1 

2 


IV 


D 


S 


D 


iA 


iA 


1 

2 




D 


D 


S 




3/3 


5/8 


IB 


D 


D 


D 




iA 


1 

2 



(c) Result (ii) from states I, III and V will leave R 1 at an offset of 

one, i.e. at the next position of text we shall have state I or IV. 

Result (ii) from states IV and VI will leave R' at an offset of two, 

which implies that if the P/L is D for the next two positions there 
is a l/l6 chance of Q and R' coalescing; other ways of coalescing 
from such a state are of course possible but are less likely and 
would take longer. 
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00 



into a causal repeat* 

Once set-up, such repeats will only end when the P/L 
diverges* For the attaok to progress any further we 
now nood some knowledge of the P/L* It is not necessary 
to crib the tiro texts of a repeat but we must know whether 
the respective P bits ore S or D in the positions succeeding 
the end of it* Let us assume that most or all such repeats 
end as follows 



P r ... 010101010101 
P 2 ...* 0 10101101010 



(c) 



(a) 



(e) 



.... SSSSSSDDDDDD 

If the repeat ends at time 1, we shall have D at at time 2* 

If Qj is not plugged K will be S in all cases and we can go 

on to time 3» 4 etc* until we find 'q n . Now let us examine 
all pairs of positions where there is D at "Q" and 3 at all 
subsequent stages* At 3/8 of these pairs K will be D. 
Examination of these pairs where K is D will inmediatcly 
identify the other 3 stages plugged to the converter to 
which "q” is plugged* 

We now take the 5/8 x 1780 pairs where K is S and repeat 
the process cm the second plugged stage in Q using only 
those pairs where the alignment of H" has not been affected 
by D at Q", and so on. 

With luck we can recover most of the plugging* In a less 
favourable case and with less than perfect knowledge of 
the P/L we should get some way. If the machine has been 
partially solved the amount of further work required is 
indicated below* 



Number of converters 
solved 

0 

1 

2 

3 



Approximate ave age number of distinct 
pluggings still to be tested 



10 



10 



14*7 

>7 



10 



4* 8 



Those figures give the order of reduction obtained* In practice 
secondary attacks would not assume all the remaining pluggings simultaneously. 
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(f) 



It is less easy to apply this attack to the beginning of 
repoats because of the random v/alk rings* However, it 
will be seen from the table. m paragraph 7(b) that 
coalescence will either arise from stateSlV or VI at 
the very beginning of a P/L repeat or will arise from 
State II in the middle of such a repeat* If there is 
much silence the second method is more likely* In this case 
we shall have a large number of situations analogous to 
the enct-of-repeat situations discussed above, and the same 
sort of attack will appply* 



(a) 



The WF consists mainly of the initial sort for causal cipher 
repeats, and, since 1 Cr 
number of bits required, 

(logg 10 y -l) = 10 sorting operations* 



is an outside estimate of t^e 
t, will be less than about 



10 * 



9* Statistical Attacks 



(a) 



These require statistical cribbing of the delta of the plain 
text at distance one. It does not matter whether the cribbed 
bits are consecutive nr not* The number of assumptions 
required depends an the amount of crib available* N<*te A 
describes two attacks: 



Amount of exact delta crib needed 
8.29 

10 bits = 129 minutes' transmission 
5*16 

IQ bits = 5*7 seconds' transmission 



Work Factor 

3 10.8 

13* 9 

10 " operations 



in 10 * 8 

10 operations 



These are the outside figures* 
interpolated between them. 



Others can be suitably 



(b) 



If the available coib is not exact but statistical more text 
is needed and the WF is correspondingly larger. See paragraph 
14 for a general discussion of cribbing for these attacks* 



(c) Hie statistical attacks are only possible because the random 
walk rings step "0 and 1"* If it was inpossible for them 
to hesitate - if they stepped "1 and 2" for instance - 
the attacks would be completely blocked* 



10 . 



Summary 





EO 3.3 (h) (2) 

jPL 86-36/50 USC 3605 



NOTE A 



STATISTICAL ATTWXS 



11. Properties of the Gorabining Systcn (see Figure l) 

(a) The converters 

(i) If a is 0, p(a = x) = £(l + £) 

If a is 1, p(a = x) = z(l + 1/4) 

where p(H) is the probability that H is true. 

Sinilarly for b» o and d. 

The average probability therefore is 
p(a = x) = i(l + 3/8/: 

(ii) If a = b = ab = 1, p(ab = x) = £(l+4 
if ab = 0, p(ab = x) = ir(l + 

Similarly for the pair o,d. 

The average probability therefore is 
p(ab = x) = 2(1 + 5/8). 

(iii) If a = o = 0 p(ac = x) = i(l + 1) 

If a = o = 1, p(ac = x) s + i) 

If a + o = 1, p(ac = x) = £(l + 0) 

Similarly for the pairs a/L; b,o; b,a. 

The average probability therefore is ■§•(.1+3/8) • 

(iv) if one input to a converter is recovered the probability 
that the output retrains unchanged is ?(l + l/4) 

(b) The random walk rings 

If r, is the output of a ring at tine i, 

p ( r i = + x ) = ? (1 + i) 

P( r i = r ± + 2 ) = V4 + i . £ + 1/4. 3/8 = £(1 + 3/16) 

(o) The key 

The final key is flat by monobics. However since for 

No. 97 - 9 - /MMmmk 
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converter p(x = ff) = i(l + 1 ) t 

8 , 



NOTE A 



p(K = K i) = £(l + (1 ) 8 (i) 2 ) = k (1 + 10 

xx 8 

8 2 

and p(K. = K. + 2 ) = ^ (X + (1 ) (^) ) » i (l + 10" 
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Other methods 
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(a) The foregoing has described only 2 particular attacks, where 
4 and 8 points are assumed respectively. It is of course 
equally valid to assume 5> 6 or 7 points, according to the 
amount of crib available on a given day. Unless crib is 
very hard to come by, it is probably not economical to 
assume a 3rd input to a converter. 

(b) In paragraphs 12 and 13 we required sufficient text each time 
to prove or disprove each plugging assumption. ’.7e could 
alternatively have run all plugging assumptions through a 
shorter stretch of text, and combined the answers. This 
method would incidentally recover the whole plugging a 
go. 
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